
How and why to conduct a cyber threat and risk analysis

An ethical hacker’s insights into how and why organisations should conduct a cyber threat and risk analysis based on nine years’ experience conducting penetration tests for hundreds of organisations

Cyber attacks are no longer single events, but a sustained campaign by increasingly sophisticated attackers that use a combination of social engineering and technical skill to penetrate your network and gain access to your most important assets. This increase in the complexity and skill level of the adversary means that there is no single solution to preventing cyber attacks.

Traditional security spending focuses on introducing another protective or detective product, but this is no longer effective in isolation. There needs to be an overall cyber security strategy focused on cyber resilience, and driven by a threat-led approach that focuses on the key assets of the organisation, and the motivations and capabilities of the most likely attackers.

Security budgets are limited, and this approach allows you to focus these limited resources more effectively to protect the assets that are most likely to be targeted.

In order to establish a baseline for a threat-led cyber strategy, it is useful to perform a threat and risk analysis exercise. Threat intelligence is used to gain a picture of the current landscape and the methods attackers are using. In the long term, this information can be purchased as a threat intelligence feed that provides you with analysis specific to your industry sector.

However, this requires that you have staff in place who can understand this information, disseminate it in digestible form to the right people, and act on it in terms of the overall cyber security strategy. If this is your organisation’s first step into a threat-led approach to cyber security, then it is unlikely you will have these resources in place.

Instead, we can use consultancy to take the place of the threat intelligence, taking advantage of the consultant’s knowledge to provide both the intelligence and the analysis specific to your sector. This process needs to be collaborative, working alongside key individuals in your business that have the most knowledge about how you operate, what assets are held, and their criticality to the business.

The aim of the process is to establish the key assets, likely attackers and their motivations and capabilities, the controls defending these assets, and how we can mitigate vulnerabilities that affect them.

Key assets

The first step is to establish what the likely targets of a cyber attack would be. These assets are likely to be very specific to your organisation, and this is why it is important that the threat and risk analysis process is collaborative. Sophisticated cyber attackers do not infiltrate your network without a specific intent, and that intent is usually to access data that you store that holds interest to them.

The value of this information is relative to the motivation of the attacker; for example, to a nation state attacker, intellectual property is a prime target. This may hold limited value to a hacktivist group that is targeting your business because their motivation is to cause damage to your brand and reputation. To them, a key asset might be your website content management system, which if compromised would allow them to publish their logo on your customer-facing site.

Once a list of key assets has been established, we need to determine where they are stored and who has access to them. It is likely the assets are stored in many more places than you would first think. Intellectual property may be stored on a file server on the organisation’s main network, but this server will also be backed up to another server.

If the information is accessed through a web application, then it may be possible that users have requested exports of this data that is then stored on their local desktops. If the web application is cloud-based, then that intellectual property is stored in a datacentre that is not under your direct control.

Having mapped out the location of the key assets, we now need to establish who has access to them. Ideally, we want to ensure that the minimum number of people have access to this data. This is because the more people that have access, the greater the potential attack surface, either through an insider attack (someone with legitimate access to the data compromises it), or due to an outside attacker compromising a user’s account.

The number of people that have access to the data is nearly always more than strictly necessary; for example, IT staff usually have superuser accounts that allow them to access all data on the network.

Threat actors

Cyber attackers, or threat actors, have distinct motivations and capabilities that drive the assets they will seek to compromise and the methods they will use to achieve their goal. The main threat actor groups are cyber criminals, nation states, hacktivists and insiders. These groups can be expanded into sub-categories, and each distinct entity in these groups may have subtly different motivations and capabilities.

There are also likely to be additional threat actors that are specific to your organisation or sector, and these can be identified and analysed during the threat and risk analysis. These threat actors are then ranked in order of their motivation, capability and likelihood of them targeting your organisation, assigning each a value to determine their overall threat to the organisation.

Taking cyber criminals as an example, they are primarily motivated by profit and can be highly capable, deploying custom-made malware to penetrate your network. The assets they target will be any valuable data that can be encrypted, especially if they can also encrypt the backups.

Their primary delivery method is email phishing, using social engineering techniques to trick staff into believing the email is a legitimate supplier invoice that needs to be paid, or a file attachment that needs to be opened that then encrypts the network with ransomware.

Once completed, the analysis will provide us with a list of the most likely threat actors that will target your organisation, and the methods they employ. This will allow the next stage of the analysis, identifying controls and vulnerabilities, to be approached with a focus on the most direct and viable threats.

Controls and vulnerabilities

Cyber resilience requires the organisation to have the ability to detect and mitigate threats, but also to be able to monitor and respond to successful cyber attacks. The threat and risk analysis has established the organisation’s vital assets, and a prioritised list of the threat actors, their motivation and capabilities.

The next step is to determine the controls that already exist to prevent, detect and respond to these threats. This involves talking to IT and information security. By comparing these controls against the capabilities and methods used by the likely threat actors, we can identify vulnerabilities that exist in both the organisation’s processes and its controls.

Continuing the example of the cyber criminal threat actor, likely vulnerabilities in the organisation’s resilience to this type of attacker include a lack of staff awareness training, a weakness in the backup process that means no off-site storage is used, and excessive permissions on key data.
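The three steps described above (mapping where each key asset lives and who can reach it, ranking threat actors by motivation, capability and likelihood, and comparing the controls in place against the methods the top-ranked actor uses) can be captured in a small, repeatable model. The following Python is an added example, not code from the article or its author; the 1-to-5 rating scheme, the product used to combine the ratings, the method-to-control mapping in `COUNTERS`, and all the sample actors, assets and controls are constructed assumptions chosen to mirror the article's cyber criminal example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatActor:
    """One threat actor group, rated 1-5 on each axis during the analysis workshop."""
    name: str
    motivation: int
    capability: int
    likelihood: int
    methods: frozenset  # delivery methods the group is known to use, e.g. "phishing"

    def score(self) -> int:
        # Overall threat value: product of the three ratings. This is a constructed
        # scheme; any consistent combination works, the point is a stable ranking.
        return self.motivation * self.capability * self.likelihood


@dataclass(frozen=True)
class Asset:
    """A key asset, every place a copy of it lives, and every group that can reach it."""
    name: str
    locations: tuple
    access: frozenset


# Constructed mapping from an attacker method to the controls that counter it.
COUNTERS = {
    "phishing": {"staff awareness training", "email filtering"},
    "ransomware": {"off-site backups", "least-privilege file permissions"},
    "credential theft": {"multi-factor authentication"},
    "web defacement": {"cms patching", "web application firewall"},
}


def rank_threat_actors(actors):
    """Most threatening first; ties are broken by name so the output is stable."""
    return sorted(actors, key=lambda a: (-a.score(), a.name))


def control_gaps(actor, controls_in_place):
    """For each method the actor uses, list the countering controls not yet in place."""
    gaps = {}
    for method in sorted(actor.methods):
        missing = COUNTERS.get(method, set()) - controls_in_place
        if missing:
            gaps[method] = sorted(missing)
    return gaps


def excessive_access(asset, approved):
    """Groups that can reach the asset but were not named as needing it."""
    return sorted(asset.access - approved)


def analyse(assets, actors, controls_in_place, approved_access):
    """Run the whole exercise and return the findings as plain data."""
    ranked = rank_threat_actors(actors)
    top = ranked[0]
    return {
        "ranking": [(a.name, a.score()) for a in ranked],
        "top_actor": top.name,
        "gaps": control_gaps(top, controls_in_place),
        "excessive_access": {
            a.name: excessive_access(a, approved_access.get(a.name, frozenset()))
            for a in assets
        },
    }


# Constructed sample input: ratings and controls are illustrative, not real data.
ACTORS = [
    ThreatActor("cyber criminals", 5, 4, 5, frozenset({"phishing", "ransomware"})),
    ThreatActor("nation state", 4, 5, 2, frozenset({"phishing", "credential theft"})),
    ThreatActor("hacktivists", 3, 2, 2, frozenset({"web defacement"})),
    ThreatActor("insiders", 2, 3, 3, frozenset({"credential theft"})),
]
ASSETS = [
    Asset("intellectual property",
          ("file server", "backup server", "user desktops (exports)", "cloud SaaS datacentre"),
          frozenset({"research team", "IT superuser accounts", "finance"})),
]
CONTROLS_IN_PLACE = {"email filtering", "multi-factor authentication"}
APPROVED_ACCESS = {"intellectual property": frozenset({"research team"})}

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(ASSETS, ACTORS, CONTROLS_IN_PLACE, APPROVED_ACCESS), indent=2))
```

With this sample input the cyber criminals rank first, and comparing their methods against the controls in place yields exactly the three weaknesses the text describes: no staff awareness training, no off-site backups, and excessive permissions (here, superuser and finance access to intellectual property). Swapping in the organisation's own ratings, asset inventory and control list turns the script into a re-runnable record of the analysis rather than a one-off workshop output.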

Recommended actions

The output of the exercise is a list of recommendations on how the organisation can address the vulnerabilities that were identified so they can be better prepared for the attacks they are most likely to face, using the threat-based assessment of the various potential threat actors.

These recommendations should also form the basis of a cyber security framework specifically tailored to your organisation, that can be used to plan the cyber security strategy and spending over the next few years.


A threat and risk analysis provides the organisation with the information it needs to correctly focus their cyber security strategy and budget. No organisation can defend against every conceivable threat, and it therefore makes sense to prioritise the threats by the most likely to target your specific business, and then make informed decisions on how to prevent and detect those threats.

This approach needs to be integrated into a cyber resilience strategy that not only allows the organisation to prevent these threats, but also respond appropriately when defensive measures are defeated.
